keycloak client cleanup
@@ -772,7 +772,7 @@ Internet → Traefik → Service:8080 → Auth Sidecar:8080 → localhost → Yo
Three authentication modes are supported:
1. **Token-based**: Static tokens (simple, good for service-to-service or internal apps)
2. **OIDC**: OpenID Connect (full SSO, good for user-facing apps)
3. **MCP**: OAuth 2.0 for MCP servers via RFC 9728 / RFC 7591 (good for MCP tool servers requiring OAuth-based access control)
3. **MCP**: OAuth 2.0 for MCP servers via RFC 9728 (Protected Resource Metadata); Keycloak provides native RFC 7591 Dynamic Client Registration (good for MCP tool servers requiring OAuth-based access control)
---
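Review bot: The new item 3 is now a long parenthetical that mixes two facts and no longer reads parallel with items 1 and 2; consider keeping the item to "OAuth 2.0 for MCP servers via RFC 9728 (Protected Resource Metadata)" and putting the Keycloak remark in a following sentence. That sentence should also say how Keycloak's RFC 7591 Dynamic Client Registration endpoint is restricted (Keycloak offers initial access tokens and client registration policies for this), because once the sidecar stops mediating registration, an unrestricted registration endpoint lets any caller create clients.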
@@ -1013,7 +1013,7 @@ auth:
scopes: "openid,profile,email" # OIDC scopes (optional)
callbackPath: /auth/callback # OAuth callback path (optional)
# MCP mode configuration (RFC 9728 / RFC 7591)
# MCP mode configuration (RFC 9728)
mcp:
resource: "" # Protected resource URL (required for MCP)
authority: "" # Authorization server URL (required for MCP)
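Review bot: The comment change drops RFC 7591, but the `authority` line still reads only "Authorization server URL (required for MCP)"; now that clients register with Keycloak directly, the comment should say this must be the Keycloak realm issuer URL that the sidecar advertises in its RFC 9728 metadata, so the two values cannot drift apart and clients are sent to the registration endpoint the operator intends.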
@@ -1161,7 +1161,7 @@ ingress:
host: mcp-server.forteapps.net
```
The MCP auth mode implements RFC 9728 (OAuth 2.0 Protected Resource Metadata) for authorization server discovery and RFC 7591 (OAuth 2.0 Dynamic Client Registration) for automatic client registration. MCP clients discover the authorization server and scopes from the `/.well-known/oauth-protected-resource` endpoint served by the sidecar.
The MCP auth mode implements RFC 9728 (OAuth 2.0 Protected Resource Metadata) for authorization server discovery. Dynamic Client Registration (RFC 7591) is handled natively by Keycloak; MCP clients discover the authorization server and scopes from the `/.well-known/oauth-protected-resource` endpoint served by the sidecar and then register directly with Keycloak.
#### Example 4: Disabling Authentication
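Review bot: The replacement paragraph says clients "register directly with Keycloak" but does not say how they find Keycloak's registration endpoint; spell out the discovery chain (the sidecar's `/.well-known/oauth-protected-resource` response names the authorization server, and that server's own metadata carries the registration endpoint). The old text said the sidecar performed RFC 7591 registration itself, so the paragraph should also state whether that sidecar behaviour was removed or is merely no longer documented, so operators upgrading know which endpoint to expect and which to close.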
@@ -1736,7 +1736,7 @@ spec:
2. `generate-auth-oidc-secret` - Creates Secret for OIDC mode
3. `inject-sidecar-token` - Injects auth sidecar for token mode
4. `inject-sidecar-oidc` - Injects auth sidecar for OIDC mode
5. `inject-sidecar-mcp` - Injects auth sidecar for MCP OAuth mode (RFC 9728 / RFC 7591)
5. `inject-sidecar-mcp` - Injects auth sidecar for MCP OAuth mode (RFC 9728)
6. `generate-auth-network-policy` - Creates NetworkPolicy to restrict ingress
#### Trigger Annotation
@@ -1776,7 +1776,7 @@ policies.forteapps.io/auth-image: "ghcr.io/fortedigital/auth-sidecar"
policies.forteapps.io/auth-image-version: "latest"
```
**MCP Mode** (OAuth 2.0 for MCP servers, implements RFC 9728 / RFC 7591):
**MCP Mode** (OAuth 2.0 for MCP servers, implements RFC 9728; MCP clients use Keycloak's native RFC 7591 endpoint for Dynamic Client Registration):
```yaml
# Annotations (required)
policies.forteapps.io/auth: "true"
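Review bot: The bold **MCP Mode** line now carries a two-clause parenthetical joined by a semicolon, which is hard to scan next to the shorter mode headings; keep the heading to "**MCP Mode** (OAuth 2.0 for MCP servers, implements RFC 9728):" and move the sentence about Keycloak's native RFC 7591 endpoint to a line under the annotation block, where it can also say which annotation (if any) points the sidecar at the Keycloak realm.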
@@ -2004,7 +2004,7 @@ Pod: Auth Sidecar (port 8080)
├─ Validate credentials
│ • Token mode: Check Bearer token
│ • OIDC mode: Validate session or redirect to IdP
│ • MCP mode: OAuth 2.0 via RFC 9728 discovery / RFC 7591 dynamic registration
│ • MCP mode: OAuth 2.0 via RFC 9728 discovery; Keycloak handles RFC 7591 dynamic registration natively
↓
Forward to Application (localhost:3000)
↓
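Review bot: This diagram is the sidecar's per-request "Validate credentials" path, and "Keycloak handles RFC 7591 dynamic registration natively" describes one-time client onboarding rather than a credential check; the MCP bullet should state what the sidecar validates on each request (for example, the bearer token against the configured `authority`, in line with the Token and OIDC bullets above it) and leave the registration remark to the prose, otherwise readers may assume the sidecar still proxies registration.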